Week in review: DevOps security, macOS root password bug, and the evil of vanity metrics

Here’s an overview of some of last week’s most interesting news and articles:

Stealthy in-browser cryptomining continues even after you close window
Hackers are testing new ways of keeping browsers open and mining even after users leave the mining website.

Infosec expert viewpoint: DevOps security
Four infosec experts weigh in on taking advantage of DevOps security to make enterprises more secure.

The evil of vanity metrics
With the fast-paced evolution of tools and connectedness in business operations, the amount of network and log data has exploded. However, organizations have largely failed to adjust their approach to managing and analyzing that growing collection of log data. Vanity metrics and the tools that produce them, namely the Security Information and Event Management (SIEM) solutions, stand at the forefront of the problem.

How secure are cryptocurrency mobile apps?
Are the mobile apps you’re using to store or handle your cryptocurrency stash, track the currencies’ price, or interact with cryptocurrency exchanges secure? Judging by the results of a recent audit by High-Tech Bridge, the chances are slim.

Credit card fraud down 29% for the first time
Iovation released data collected from its retail and e-commerce subscribers from the 2017 holiday weekend (Nov. 24 – 27, 2017).

Richard Ford: A physicist’s strange journey to become an infosec scientist
With an academic background in physics but an active interest in computing and hacking, Richard Ford, Chief Scientist at Forcepoint, started his career in the information security field when a visit-cum-job interview at Virus Bulletin ended up in him being installed as an editor at the publication.

To protect your network, you must first know your network
A sobering statistic regarding commonly used security controls was highlighted in a recent report. “Software and hardware inventory and valuation” was the least cited control, with only 16% of CISOs leveraging it.

Not everything is sophisticated, let’s keep it simple
We have perpetuated the myth that there is a category of malicious actors who are sophisticated simply by virtue of engaging in cybercrime. Yet the modus operandi of most of them is to simply trick someone into clicking a link in an email.

How organizations across industries create and manage policies
MetricStream evaluated 260+ organizations across 15 industries to understand the ways in which organizations create, manage, and communicate policies, the challenges they face, and the types of tools and technologies used to support policy management.

Triggered via malicious files, flaws in Cisco WebEx players can lead to RCE
Cisco has plugged six security holes in Cisco WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files that could be exploited by remote attackers to execute malicious code on a target system.

Three keys to making technical debt manageable
The concept of paying technical debt down is no different than paying down financial debt. The issue arises when a company has too much of it, and it never actually gets “paid back” or completed.

Tizi backdoor rooted Android devices by exploiting old vulnerabilities
Google has discovered and removed from Google Play a number of apps that contained the Tizi backdoor, which installs spyware to steal sensitive data from popular social media applications.

Critical macOS High Sierra bug allows easy root access
If you’re using a Mac, and are running macOS High Sierra, drop everything that you’re doing and go and apply this update.

Cut the FUD: Why Fear, Uncertainty and Doubt is harming the security industry
We need to stop fetishizing FUD and instead step up a meaningful dialogue around the most likely risks and how we can practically address them.

A look at the top seven ransomware attacks in the past decade
The top seven ransomware attacks within the past decade and how they managed to infiltrate networks around the world.

Enterprise security incident response trends to watch in 2018
Resolve Systems shared the top trends to watch in 2018 relating to incident response and automation.

OpenEMR flaw leaves millions of medical records exposed to attackers
A vulnerability in the free, open source electronic medical record and medical practice management software OpenEMR can be exploited to steal patients’ medical records and other personally identifiable information, Risk Based Security warns.

No key required: How thieves use relay boxes to steal cars
Criminals equipped with relay boxes can unlock cars and drive away with them in under a minute.

10 tips to optimize security during the holidays
A team of security experts developed 10 recommendations focused on assisting security and IT teams with prioritizing and optimizing their security resources and investments as they deal with the typical increase in risk of exposure that comes with this time of year.

Have you been fooled by Russian propaganda? Facebook’s new tool will show you
Facebook will soon be creating a portal to enable users to learn which of the Internet Research Agency (a Russian propaganda outfit) Facebook Pages or Instagram accounts they may have liked or followed between January 2015 and August 2017.

Imgur confirms breach, 1.7 million users affected
Popular image hosting website Imgur announced on Friday that hackers stole usernames and passwords of 1.7 million of its users. The breach dates back to 2014, when Imgur still hashed stored passwords with plain SHA-256, a fast general-purpose hash that offers little resistance to brute-force and dictionary cracking when used for password storage.
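To make concrete why a fast hash such as SHA-256 is a poor choice for stored passwords, here is an added example (not code from the article or from Imgur) that runs a small dictionary attack against constructed, unsalted SHA-256 hashes and then shows the same attack against per-user salted PBKDF2, the kind of slow KDF a site should use instead. The wordlist, accounts and passwords are made up for the example; the iteration count is an assumption to be tuned per deployment.

```python
import hashlib
import hmac
import os

# Constructed sample data for this example: a tiny "leaked" table of unsalted
# SHA-256 hex digests and a small wordlist. None of this is real Imgur data.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "imgur2014"]


def sha256_hex(password):
    """Unsalted SHA-256 of the raw password, the weak scheme in the story."""
    return hashlib.sha256(password.encode()).hexdigest()


LEAKED_HASHES = {
    "alice": sha256_hex("hunter2"),
    "bob": sha256_hex("qwerty"),
    "carol": sha256_hex("correct horse battery staple"),  # not in the wordlist
}


def crack_unsalted_sha256(leaked, wordlist):
    """Dictionary attack against unsalted SHA-256.

    Every user with the same password has the same digest, so the attacker
    hashes each candidate once and checks it against every account at once.
    """
    lookup = {sha256_hex(w): w for w in wordlist}  # one hash per candidate
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


# Hardened form: random per-user salt plus a deliberately slow KDF.
# 200_000 iterations is an assumed value; tune so one check costs ~0.1 s.
PBKDF2_ITERATIONS = 200_000


def pbkdf2_store(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, derived_key) to store instead of a bare hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk


def pbkdf2_verify(password, salt, expected, iterations=PBKDF2_ITERATIONS):
    """Constant-time comparison of a freshly derived key with the stored one."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)


def crack_pbkdf2(stores, wordlist, iterations=PBKDF2_ITERATIONS):
    """Same dictionary attack against salted PBKDF2.

    The salt defeats the shared lookup table: each candidate must be
    re-derived separately for every user, and each derivation is slow.
    """
    found = {}
    for user, (salt, dk) in stores.items():
        for w in wordlist:
            if pbkdf2_verify(w, salt, dk, iterations):
                found[user] = w
                break
    return found


def hash_invocations(n_users, n_candidates, salted, iterations=1):
    """Rough count of underlying hash calls an attacker must perform.

    Unsalted fast hash: one pass over the wordlist serves all users.
    Salted slow KDF: every user costs a full pass, each candidate costing
    `iterations` hash calls.
    """
    if not salted:
        return n_candidates
    return n_users * n_candidates * iterations


if __name__ == "__main__":
    print("unsalted SHA-256 cracked:", crack_unsalted_sha256(LEAKED_HASHES, WORDLIST))
    stores = {u: pbkdf2_store(p, iterations=1000) for u, p in
              [("alice", "hunter2"), ("carol", "correct horse battery staple")]}
    print("salted PBKDF2 cracked:", crack_pbkdf2(stores, WORDLIST, iterations=1000))
    # Cost for a 1.7 million user table and a 1 million word dictionary.
    print("fast unsalted cost:", hash_invocations(1_700_000, 1_000_000, False))
    print("slow salted cost:  ", hash_invocations(1_700_000, 1_000_000, True,
                                                  PBKDF2_ITERATIONS))
```

The last two figures are the whole argument: against unsalted SHA-256 the attacker's cost is bounded by the size of the wordlist, not the size of the breach, whereas a salted, slow KDF multiplies that cost by the number of users and the iteration count.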

New infosec products of the week: December 1, 2017
A rundown of infosec products released last week.
